Cybercriminals continue to develop new ways and technologies to gain access to your personal information and hack your accounts. They also exploit human error, vulnerabilities, and trust to commit their crimes. Here we highlight two types of threats, along with best practices to reduce your risk of becoming a victim of cybercrime.
What is deepfake audio?
Deepfake audio (aka voice swapping) uses a machine-learning algorithm to mimic the voice of a real person on the phone or in a video. For example, a cybercriminal can fake the voice of a senior executive to trick employees into believing they’re speaking with someone in a position of authority who is instructing them to carry out orders, such as facilitating a money transfer or sharing information.
The primary use of deepfake audio/voice swapping is to enhance Business Email Compromise (BEC) in order to falsely authorize payments. In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request.
Deepfake audio is one of the most advanced new forms of Artificial Intelligence (AI) underpinning cyber-attacks. The attacker builds a voice model by feeding data containing voice samples of the mimicked individual into a machine-learning algorithm; these samples are often collected from public sources such as speeches, presentations, corporate videos, and interviews. Once a sufficiently robust deepfake audio profile is built, it can be combined with specialized text-to-speech software so that the fake voice reads whatever script the attacker writes. Building such a profile can take considerable time and resources, and the most advanced hackers can create a voice profile by incorporating up to 20 minutes of audio.
What can you do about deepfakes?
- Increase awareness, especially among senior executives, of the risk of this type of cyber-attack.
- Remind staff that just because a communication appears to come from a senior executive doesn’t mean they should comply immediately if the request is outside the company’s processes or if it seems suspicious or extremely urgent.
- Pay attention to any requests for deviations from organizational processes around wiring money or sensitive transactions.
- Ensure that employees who make wire transfers are trained on BEC and deepfake audio scams.
- Verify suspicious requests or instructions by calling the person on the phone directly using a recognized number (such as the executive’s desk or personal mobile phone) or by sending them an email to confirm that the call or video is legitimate.
What is voice phishing (vishing)?
Vishing is the criminal practice of using social engineering over the telephone to gain access to, or trick people into providing, private, personal, or financial information, usually with the promise of financial reward. The cybercriminal makes a phone call or leaves a voice message purporting to be from a reputable company in order to induce individuals to reveal personal information, such as bank details and credit card numbers. Vishing uses the same techniques as in phishing emails but is done over the phone instead.
What can you do about vishing?
- Never provide sensitive information (e.g., your Social Security number, bank account information, addresses, or the names of others in your organization) to an unsolicited caller.
- Always verify the caller by asking for their name and phone number. Verify the authenticity of the request by calling the number back and checking that the caller is who they say they are.
- It is acceptable to say to someone who you think may be suspicious, “Let me take your name and number and I will get back to you” — especially if they say they are in a rush and are trying to hurry you.
- Never assume that what appears to be an internal message or caller is legitimate, especially if the caller is asking for sensitive information. Avoid describing reporting relationships and other organizational information, including names of staff members in sensitive areas (e.g., money transfer, HR). If the caller claims to be employed by the bank, check their name in the directory, and use that information to call, email, or instant-message the person for verification.
- These are some telltale signs a caller might be a criminal intending to do harm:
  - The caller asks for organizational reporting relationships or other sensitive information.
  - The caller says they need the information urgently. Requests that contain a sense of urgency to take some action are often red flags — rarely is it urgent to reply to a message immediately, so check to make sure the request is legitimate before responding.
  - The caller claims to be from a government agency or a technical support team and asks for sensitive, personal information such as passwords to systems and applications.
These are all methods that can reduce your risk of falling prey to sophisticated cybercriminals, and we encourage you to consult these tips as needed and periodically to refresh your memory.